authorQuincey Koziol <koziol@hdfgroup.org>2007-03-16 09:59:31 (GMT)
committerQuincey Koziol <koziol@hdfgroup.org>2007-03-16 09:59:31 (GMT)
commit05af9a85f8315fefc743c9210113d71e04715389 (patch)
treedcfd87efd85070b5d5c7b92a480ac0825707d470
parent24fb6ed7c69e5a3f372c6b65eae8fa4ccba8db13 (diff)
[svn-r13518] Description:
Add some sanity checking to improve the resilience of the object header decoding in the face of a bad reference, or a corrupted file. Tested on: Mac OS X/32 10.4.9 (amazon)
-rw-r--r--src/H5Ocache.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index 5259a8e..b2e86c9 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -301,6 +301,8 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1,
if(oh->flags & H5O_HDR_ATTR_STORE_PHASE_CHANGE) {
UINT16DECODE(p, oh->max_compact);
UINT16DECODE(p, oh->min_dense);
+ if(oh->max_compact < oh->min_dense)
+ HGOTO_ERROR(H5E_OHDR, H5E_VERSION, NULL, "bad object header attribute phase change values")
} /* end if */
else {
oh->max_compact = H5O_CRT_ATTR_MAX_COMPACT_DEF;
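Review bot: The new rejection reports `H5E_VERSION` as the minor error code, although it fires on an out-of-range value decoded from the file rather than on an unsupported format version; the two `bad object header chunk size` checks added in the following hunks do the same. The existing `bad size for chunk 0` error in the next hunk uses `H5E_BADVALUE`, and matching it would keep corrupted-file failures distinguishable from version mismatches in the error stack: `HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "bad object header attribute phase change values")`. H5O_load starts and ends outside this hunk.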
@@ -328,6 +330,8 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1,
default:
HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "bad size for chunk 0")
} /* end switch */
+ if(chunk_size > 0 && chunk_size < H5O_SIZEOF_MSGHDR_OH(oh))
+ HGOTO_ERROR(H5E_OHDR, H5E_VERSION, NULL, "bad object header chunk size")
} /* end if */
else {
/* Version */
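Review bot: The added check bounds `chunk_size` only from below, so a corrupted header or a bad reference can still yield an arbitrarily large first-chunk size; the version 1 check in the next hunk has the same shape. Whether a later step compares the size against the file's allocated extent before the chunk is allocated and read is not visible in this diff. If that validation exists elsewhere, I would record the dependency next to the check, for example `/* Lower bound only: chunk_size must still be checked against the end of the file before the chunk is read */`; if it does not, the upper bound belongs here. The enclosing branch of H5O_load starts outside the hunk.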
@@ -356,6 +360,9 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1,
/* First chunk size */
UINT32DECODE(p, chunk_size);
+ if((nmesgs > 0 && chunk_size < H5O_SIZEOF_MSGHDR_OH(oh)) ||
+ (nmesgs == 0 && chunk_size > 0))
+ HGOTO_ERROR(H5E_OHDR, H5E_VERSION, NULL, "bad object header chunk size")
/* Reserved, in version 1 */
p += 4;
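Review bot: The two-part condition encodes two separate invariants with no comment, which makes it hard to audit later whether a legitimate file could be rejected. I would add a comment above it such as `/* A header that claims messages needs room for at least one message header; one that claims none must have an empty first chunk */`. The surrounding version 1 decoding continues outside the hunk.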
@@ -369,7 +376,7 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1,
chunk_addr = addr + (hsize_t)prefix_size;
/* Allocate the message array */
- oh->alloc_nmesgs = nmesgs;
+ oh->alloc_nmesgs = (nmesgs > 0) ? nmesgs : 1;
if(NULL == (oh->mesg = H5FL_SEQ_MALLOC(H5O_mesg_t, oh->alloc_nmesgs)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
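Review bot: The clamp to one slot on the `oh->alloc_nmesgs` line is unexplained, and the reason is not recoverable from the hunk; presumably it avoids a zero-length `H5FL_SEQ_MALLOC` request when the header reports no messages. I would state that in the existing comment, e.g. `/* Allocate the message array (at least one slot, even if the header reports no messages) */`. It is also worth confirming that code outside this hunk keeps using the decoded message count, not `alloc_nmesgs`, as the number of valid entries, since the two can now differ.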